摘要
根据shellcode的API函数及系统调用对栈帧的影响,定义了EBP异常、Ret异常和长度异常,并在此基础上提出了基于栈异常的shellcode检测方法——S-Tracker.该方法遍历特定敏感API函数的栈帧链、检测异常、定位漏洞函数和Shellcode代码,并采用栈帧重构解决了栈帧中的EBP缺失或破坏的问题.实验结果表明:S-Tracker能有效检测到基于普通shellcode、混合型shellcode以及纯ROP shellcode的攻击行为,具备追踪shellcode分布区域和EIP跳转函数的功能,且其性能开销较小、没有误报;与微软EMET工具相比,STracker在内核层实现,更加难以被攻击者绕过.
Due to the impact of shellcode's API(application programming interface)functions and system calls on stack frame,the abnormalities of EBP(extended base pointer),Ret address and stack frame length were defined.Then S-Tracker,a method for shellcode attribution based on stack abnormity was proposed.This method is able to sense stack abnormity,locate vulnerable functions and shellcode memory area by stack walking.With stack reconstruction,the challenging issue of EBP omission or EBP breach is also successfully solved.The experimental results demonstrate this method's effectiveness on the detection of general shellcode,hybrid shellcode,and fully ROP(return oriented programing)-based shellcode with less performance overhead and no false positive.The capability on roughly attributing shellcode and vulnerable function was proved at the same time.Comparing with Microsoft's EMET(enhanced mitigation experience toolkit),this method,deeply rooted in the kernel level,is much more difficult to bypass,and meanwhile is more effective on fully ROP-based shellcode detection.
出处
《华中科技大学学报(自然科学版)》
EI
CAS
CSCD
北大核心
2014年第11期39-46,共8页
Journal of Huazhong University of Science and Technology(Natural Science Edition)
基金
国家重点基础研究发展计划资助项目(2014CB340600)
国家自然科学基金资助项目(61332019
61373168
61202387
61202385)
中国博士后科学基金资助项目(2012M510641)
武汉市青年科技晨光计划资助项目(2012710367)
关键词
软件安全
shellcode检测
栈帧遍历
栈异常
ROP攻击
software security
shellcode attribution
stack walking
stack abnormity
ROP(return oriented programing)-based attack
